CVE-2024-8529 Scanner
CVE-2024-8529 Scanner - SQL Injection vulnerability in LearnPress
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 7 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
LearnPress is a widely-used Learning Management System (LMS) plugin for WordPress that allows educators and training institutions to create, manage, and sell courses online. Developed by ThimPress, LearnPress is used globally by online schools, eLearning platforms, and independent instructors for providing structured course delivery. The plugin supports various features such as quizzes, lessons, certificates, and payment gateways. It integrates seamlessly with popular WordPress themes and other plugins, offering flexibility for educational websites. Its extensive feature set makes it a go-to solution for building scalable eLearning environments. The plugin is actively maintained and frequently updated with new features and security patches.
The SQL Injection vulnerability exists in LearnPress versions prior to 4.2.7.1 through the 'c_fields' parameter of the `/wp-json/lp/v1/courses/archive-course` REST API endpoint. The vulnerability is unauthenticated: an attacker does not need to log in to exploit it. By injecting SQL into this parameter, an attacker can alter the queries the plugin sends to the database and retrieve data from it without authorization. The flaw arises from insufficient input validation and the absence of prepared statements in the vulnerable endpoint. Exploiting it compromises the confidentiality of the database and can serve as a stepping stone to further attacks.
The vulnerable endpoint is `/wp-json/learnpress/v1/courses`, where the `c_fields` parameter is not properly sanitized. Detection uses a time-based blind SQL payload, such as `(SELECT(0)FROM(SELECT(SLEEP(6)))a)`, and judges the result by the server's response delay: when the payload is executed, the response is delayed, which confirms the injection point. The attacker needs no privileges or user account on the WordPress site. The vulnerability can be reliably detected either through this timing behaviour or through content-based matching. Proper mitigation consists of validating all input against what the endpoint actually expects and using parameterized queries.
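The following added example illustrates the mitigation the paragraph above calls for and the content-based detection it mentions; it is not LearnPress code and does not reproduce the plugin's internals. It assumes, as a hypothetical, that `c_fields` is a comma-separated list of column names the client may request. Because column names are SQL identifiers, they cannot be bound as query parameters, so the hardened handler checks them against an allow-list (`ALLOWED_FIELDS`, an assumed set) and binds only the filter values. The `posts` table and the access-log lines are constructed in the block; the second log line carries the payload shape quoted above, which the hardened handler rejects and the log check flags.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of columns the archive endpoint may return; the real
# plugin's column set is not given on the page.
ALLOWED_FIELDS = frozenset({"ID", "post_title", "post_name", "post_date", "post_status"})
DEFAULT_FIELDS = ("ID", "post_title")


class InvalidFieldError(ValueError):
    """Raised when c_fields carries anything other than allow-listed column names."""


def parse_c_fields(raw):
    """Split a comma-separated c_fields value and keep only allow-listed identifiers.

    Identifiers cannot be bound as parameters, so the allow-list is the only
    safe way to let a client choose which columns come back.
    """
    fields = []
    for item in raw.split(","):
        name = item.strip()
        if not name:
            continue
        if name not in ALLOWED_FIELDS:
            raise InvalidFieldError(f"c_fields value not allow-listed: {name!r}")
        fields.append(name)
    return fields or list(DEFAULT_FIELDS)


def build_course_query(fields, post_type="lp_course", status="publish"):
    """Return (sql, params): identifiers come from the allow-list, values are bound."""
    columns = ", ".join(f'"{name}"' for name in fields)
    sql = f'SELECT {columns} FROM posts WHERE post_type = ? AND post_status = ?'
    return sql, (post_type, status)


def fetch_courses(conn, raw_c_fields):
    """Hardened handler: validate c_fields first, then run a parameterised query."""
    sql, params = build_course_query(parse_c_fields(raw_c_fields))
    return conn.execute(sql, params).fetchall()


def fetch_courses_unsafe(conn, raw_c_fields):
    """The defect described on the page, kept for contrast only: request input is
    pasted straight into the column list, so any SQL in c_fields reaches the database."""
    sql = f"SELECT {raw_c_fields} FROM posts WHERE post_type = 'lp_course'"
    return conn.execute(sql).fetchall()


# Content-based detection for access logs: a legitimate c_fields value is a
# comma-separated list of identifiers, so anything else is worth flagging.
IDENTIFIER_LIST = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(,[A-Za-z_][A-Za-z0-9_]*)*$")
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_log_line(line):
    """Return the offending c_fields value when a request does not look like a
    plain column list (decoded via parse_qs), otherwise None."""
    match = REQUEST_TARGET.search(line)
    if not match:
        return None
    query = parse_qs(urlsplit(match.group(1)).query)
    for value in query.get("c_fields", []):
        if not IDENTIFIER_LIST.match(value.replace(" ", "")):
            return value
    return None


def make_demo_db():
    """Constructed in-memory stand-in for the WordPress posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (ID INTEGER, post_title TEXT, post_name TEXT,"
                 " post_date TEXT, post_status TEXT, post_type TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?,?,?,?,?,?)", [
        (1, "Intro course", "intro-course", "2024-01-01", "publish", "lp_course"),
        (2, "Draft course", "draft-course", "2024-02-01", "draft", "lp_course"),
        (3, "Hello world", "hello-world", "2024-01-01", "publish", "post"),
    ])
    return conn


# Constructed access-log lines; the second carries the payload shape quoted on the page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2024:12:00:01 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_fields=ID,post_title HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Sep/2024:12:00:08 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_fields=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_courses(db, "ID,post_title"))
    try:
        fetch_courses(db, "(SELECT(0)FROM(SELECT(SLEEP(6)))a)")
    except InvalidFieldError as err:
        print("rejected:", err)
    for line in SAMPLE_LOG:
        print("FLAG" if flag_log_line(line) else "ok  ", line[:70])
```

The structural check in `flag_log_line` is deliberately not a keyword blocklist: it asks whether the parameter has the shape the endpoint expects, which catches encoded and obfuscated variants that a list of SQL keywords would miss and keeps false positives low on legitimate traffic.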
Exploiting this vulnerability can allow attackers to extract sensitive information from the database, such as user emails, password hashes, and plugin configurations. This may lead to larger data breaches or be used for further attacks such as privilege escalation. If the attacker gains access to user data, it can result in loss of trust and legal consequences for the affected organization. It could also be leveraged to gather intelligence on the structure and schema of the database. In severe cases, it could expose administrator credentials leading to a complete site compromise. Organizations using vulnerable versions should treat this as a high-priority risk.